From owner-freebsd-security Thu Nov 22 2:35:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from straylight.ringlet.net (sentinel.office1.bg [217.75.134.126]) by hub.freebsd.org (Postfix) with SMTP id 9A54A37B416 for ; Thu, 22 Nov 2001 02:35:47 -0800 (PST) Received: (qmail 790 invoked by uid 1000); 22 Nov 2001 10:35:10 -0000 Date: Thu, 22 Nov 2001 12:35:10 +0200 From: Peter Pentchev To: Anthony Atkielski Cc: FreeBSD Questions , freebsd-security@FreeBSD.ORG Subject: Re: setuid on nethack? Message-ID: <20011122123510.A611@straylight.oblivion.bg> Mail-Followup-To: Anthony Atkielski , FreeBSD Questions , freebsd-security@FreeBSD.ORG References: <014201c17336$40653f90$0a00000a@atkielski.com> <20011122112415.B855@straylight.oblivion.bg> <016001c17338$37d65240$0a00000a@atkielski.com> <20011122114813.C855@straylight.oblivion.bg> <016601c1733d$7a516b00$0a00000a@atkielski.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <016601c1733d$7a516b00$0a00000a@atkielski.com>; from anthony@freebie.atkielski.com on Thu, Nov 22, 2001 at 11:07:16AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Nov 22, 2001 at 11:07:16AM +0100, Anthony Atkielski wrote: > What about in the more general case of games? Would it be a good idea to set > game files to games:games and 6511? And what about other types of executables? > > When I add ports and stuff to my system, sometimes they are picked up from some > bizarre FTP sites, and in cases where the executables do not have to be trusted, > some guidelines on how better to secure them would be welcome. I know that > often they are being rebuilt from source before installation, but it isn't > really practical to read through the source for every port just to look for > suspicious code. > > Are ports examined by anyone anywhere for security problems before being > included in the FreeBSD list of ports? Yes, they are being actively examined by the maintainer of the port in question. It is the port maintainer's job to look through the changes from version to version and to decide what and where is good and what is not. Cases have been known when a maintainer has decided not to update the port to a new version, or even to update, but disable or patch a new "feature" away. In general, yes, you can trust the ports from the Ports Collection for rebuilding from source (the source tarballs have their MD5 checksums recorded in the Ports Collection files), and the packages downloaded from FreeBSD mirrors (they are built from the Ports Collection). Still, nothing prevents you from changing BINOWN and BINMODE before building specific ports; the penv(1) utility in ports/sysutils/penv might come handy :) For packages, the situation is a bit weirder, but you could easily write a script that parses the output of pkg_info -qL, finds the executables installed by a package and fixes the ownership/permissions. G'luck, Peter -- "yields falsehood, when appended to its quotation." yields falsehood, when appended to its quotation. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message